AMENDMENTS TO THE CLAIMS:

This listing of claims will replace all prior versions, 
and listings, of claims in the application: 

LISTING OF CLAIMS:

1-112. (canceled) 

113. (currently amended) An attack defending system 
provided at an interface between an internal network and an 
external network, comprising a computer having a processor and a 
memory to execute software recorded on a tangible medium, the 
software implementing a decoy device and a firewall device, 
wherein the firewall device inputs an input IP packet from the 
external network and forwards it to one of the decoy device and 
the internal network, wherein 

the decoy device comprises: 

an attack detector for detecting presence or absence of 
an attack by executing a service process for the input IP packet 
transferred from the firewall device, and 

the firewall device comprises:

a packet filter for determining whether the input IP 
packet inputted from the external network is to be accepted, 
based on header information of the input IP packet and a 
filtering condition corresponding to the input IP packet; 

a destination selector for selecting one of the
internal network and the decoy device as a destination of the 
input IP packet accepted by the packet filter, based on the 
header information of the input IP packet and a distribution 
condition; and 

a filtering condition manager for managing the 
filtering condition depending on whether the attack detector 
detects an attack based on the input IP packet forwarded to the 
decoy device, wherein 

the destination selector comprises a memory for storing 
as the distribution condition a guiding list containing a set of 
IP addresses unused in the internal network, the destination 
selector selecting the decoy device when a destination IP address 
of the input IP packet matches an unused IP address contained in 
the guiding list. 

114. (previously presented) The attack defending system 
according to claim 113, wherein the firewall device further 
comprises:

a distribution condition updating section for updating 
the distribution condition depending on whether the attack 
detector detects an attack based on the input IP packet 
transferred to the decoy device. 

115. (previously presented) The attack defending system
according to claim 113, wherein the filtering condition manager 
stores the filtering condition with a limited validity period, 
which corresponds to the header information of the input IP 
packet forwarded to the decoy device, wherein, when the limited 
validity period has elapsed, a default filtering condition is 
returned to the packet filter. 

116. (previously presented) The attack defending system 
according to claim 115, wherein the filtering condition manager 
comprises:

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information 
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

117. (currently amended) An attack defending system 
provided at an interface between an internal network and an 
external network, comprising a computer having a processor and a 
memory to execute software recorded on a tangible medium, the 
software implementing a decoy device and a firewall device, 
wherein the firewall device inputs an input IP packet from the 
external network and forwards it to one of the decoy device and
the internal network, wherein 

the decoy device comprises: 

an attack detector for detecting presence or absence of 
an attack by executing a service process for the input IP packet 
transferred from the firewall device, and 

the firewall device comprises: 

a packet filter for determining whether the input IP 
packet inputted from the external network is to be accepted, 
based on header information of the input IP packet and a 
filtering condition corresponding to the input IP packet; 

a destination selector for selecting one of the 
internal network and the decoy device as a destination of the 
input IP packet accepted by the packet filter, based on the 
header information of the input IP packet and a distribution 
condition; and 

a filtering condition manager for managing the 
filtering condition depending on whether the attack detector 
detects an attack based on the input IP packet forwarded to the 
decoy device, 

wherein the destination selector comprises: 
a packet buffer for storing input IP packets; and 
a monitor for monitoring reception of a destination 
unreachable message after an input IP packet has been transferred 
from the packet buffer to the internal network, 

wherein, when the monitor detects the reception of the
destination unreachable message for the input IP packet, the 
input IP packet is transferred from the packet buffer to the 
decoy device. 

118. (previously presented) The attack defending system 
according to claim 117, wherein the firewall device further 
comprises:

a distribution condition updating section for updating 
the distribution condition depending on whether the attack 
detector detects an attack based on the input IP packet 
transferred to the decoy device. 

119. (previously presented) The attack defending system 
according to claim 117, wherein the filtering condition manager 
stores the filtering condition with a limited validity period, 
which corresponds to the header information of the input IP 
packet forwarded to the decoy device, wherein, when the limited 
validity period has elapsed, a default filtering condition is 
returned to the packet filter. 

120. (previously presented) The attack defending system 
according to claim 119, wherein the filtering condition manager 
comprises:

a condition generator for generating a filtering
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information 
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

121. (currently amended) An attack defending system 
provided at an interface between an internal network and an 
external network, comprising a computer having a processor and a 
memory to execute software recorded on a tangible medium, the 
software implementing a decoy device and a firewall device, 
wherein the firewall device inputs an input IP packet from the 
external network and forwards it to one of the decoy device and 
the internal network, wherein 

the decoy device comprises: 

an attack detector for detecting presence or absence of 
an attack by executing a service process for the input IP packet 
transferred from the firewall device, and 

the firewall device comprises:

a packet filter for determining whether the input IP 
packet inputted from the external network is to be accepted, 
based on header information of the input IP packet and a 
filtering condition corresponding to the input IP packet; 

a destination selector for selecting one of the
internal network and the decoy device as a destination of the 
input IP packet accepted by the packet filter, based on the 
header information of the input IP packet and a distribution 
condition; and 

a filtering condition manager for managing the 
filtering condition depending on whether the attack detector 
detects an attack based on the input IP packet forwarded to the 
decoy device, 

wherein the filtering condition manager comprises:

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information 
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

122. (previously presented) The attack defending system 
according to claim 121, wherein the header information of an 
input IP packet includes at least one of a source IP address and 
a destination IP address thereof, 

wherein the destination selector selects a destination
of the input IP packet depending on whether the header
information of the input IP packet satisfies the distribution
condition.

Docket No. 8046-1041
Appln. No. 10/643,864

123. (previously presented) The attack defending system 
according to claim 121, wherein the firewall device further 
comprises:

a distribution condition updating section for updating 
the distribution condition depending on whether the attack 
detector detects an attack based on the input IP packet 
transferred to the decoy device. 

124. (previously presented) The attack defending system 
according to claim 121, wherein the filtering condition manager 
stores the filtering condition with a limited validity period, 
which corresponds to the header information of the input IP 
packet forwarded to the decoy device, wherein, when the limited 
validity period has elapsed, a default filtering condition is 
returned to the packet filter. 

125. (previously presented) The attack defending system 
according to claim 124, wherein the filtering condition manager 
comprises:

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

126. (currently amended) An attack defending system 
provided at an interface between an internal network and an 
external network, comprising a computer having a processor and a 
memory to execute software recorded on a tangible medium, the 
software implementing a decoy device and a firewall device, 
wherein the firewall device inputs an input IP packet from the 
external network and forwards it to one of the decoy device and 
the internal network, wherein 

the decoy device comprises: 

an attack detector for detecting presence or absence of 
an attack by executing a service process for the input IP packet 
transferred from the firewall device, 

an event memory for temporarily storing events related 
to at least network input/output, file input/output, and process 
creation/termination, and 

an event manager for analyzing cause-effect relations 
of the events stored in the event memory to form links among the 
events; and 

the firewall device comprises: 

a packet filter for determining whether the input IP
packet inputted from the external network is to be accepted, 
based on header information of the input IP packet and a 
filtering condition corresponding to the input IP packet; 

a destination selector for selecting one of the 
internal network and the decoy device as a destination of the 
input IP packet accepted by the packet filter, based on the 
header information of the input IP packet and a distribution 
condition; and 

a filtering condition manager for managing the 
filtering condition depending on whether the attack detector 
detects an attack based on the input IP packet forwarded to the 
decoy device. 

127. (previously presented) The attack defending system 
according to claim 126, wherein the header information of an 
input IP packet includes at least one of a source IP address and 
a destination IP address thereof, 

wherein the destination selector selects a destination 
of the input IP packet depending on whether the header 
information of the input IP packet satisfies the distribution 
condition.

128. (previously presented) The attack defending system
according to claim 126, wherein the firewall device further 
comprises:

a distribution condition updating section for updating 
the distribution condition depending on whether the attack 
detector detects an attack based on the input IP packet 
transferred to the decoy device. 

129. (previously presented) The attack defending system 
according to claim 126, wherein the filtering condition manager 
stores the filtering condition with a limited validity period, 
which corresponds to the header information of the input IP 
packet forwarded to the decoy device, wherein, when the limited 
validity period has elapsed, a default filtering condition is 
returned to the packet filter. 

130. (previously presented) The attack defending system 
according to claim 129, wherein the filtering condition manager 
comprises:

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information 
of the input IP packet; and 

a filtering condition controller for dynamically
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

131. (previously presented) The attack defending system 
according to claim 126, wherein the attack detector detects an 
attack from an execution status of the service process according 
to a rule having at least one of domain constraint and type 
constraint added thereto. 

132. (previously presented) The attack defending system 
according to claim 131, wherein the attack detector searches the 
links to extract at least, a generation event of a process 
generating an event to be inspected and a network reception event 
by which the event to be inspected is generated, when 
determination is made based on the domain constraint and the type 
constraint.

133. (currently amended) An attack defending system 
provided at an interface between an internal network and an 
external network, comprising a computer having a processor and a 
memory to execute software recorded on a tangible medium, the 
software implementing a decoy device and a firewall device, 
wherein the firewall device inputs an input IP packet from the 
external network and forwards it to one of the decoy device and
the internal network, wherein 

the decoy device comprises: 

an attack detector for detecting presence or absence of 
an attack by executing a service process for the input IP packet 
transferred from the firewall device, and 

the firewall device comprises: 

a packet filter for determining whether the input IP 
packet inputted from the external network is to be accepted, 
based on header information of the input IP packet and a 
filtering condition corresponding to the input IP packet; 

a destination selector for selecting one of the 
internal network and the decoy device as a destination of the 
input IP packet accepted by the packet filter, based on the 
header information of the input IP packet and a distribution 
condition; and 

a filtering condition manager for managing the 
filtering condition depending on whether the attack detector 
detects an attack based on the input IP packet forwarded to the 
decoy device, 

wherein the attack detector detects an attack from an 
execution status of the service process according to a rule 
having at least one of domain constraint and type constraint 
added thereto. 

134. (previously presented) The attack defending system
according to claim 133, wherein the header information of an 
input IP packet includes at least one of a source IP address and 
a destination IP address thereof, 

wherein the destination selector selects a destination 
of the input IP packet depending on whether the header 
information of the input IP packet satisfies the distribution 
condition.

135. (previously presented) The attack defending system 
according to claim 133, wherein the firewall device further 
comprises:

a distribution condition updating section for updating 
the distribution condition depending on whether the attack 
detector detects an attack based on the input IP packet 
transferred to the decoy device. 

136. (previously presented) The attack defending system 
according to claim 133, wherein the filtering condition manager 
stores the filtering condition with a limited validity period, 
which corresponds to the header information of the input IP 
packet forwarded to the decoy device, wherein, when the limited 
validity period has elapsed, a default filtering condition is 
returned to the packet filter. 

137. (previously presented) The attack defending system
according to claim 136, wherein the filtering condition manager
comprises:

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information 
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

138. (currently amended) An attack defending system 
provided at an interface between an internal network and an 
external network, comprising a computer having a processor and a 
memory to execute software recorded on a tangible medium, the 
software implementing a decoy device and a firewall device,
wherein the firewall device inputs an input IP packet from the 
external network and forwards it to one of the decoy device and 
the internal network, wherein 

the decoy device comprises: 

an attack detector for detecting presence or absence of 
an attack by executing a service process for the input IP packet 
transferred from the firewall device, and 

the firewall device comprises:

a packet filter for determining whether the input IP
packet inputted from the external network is to be accepted, 
based on header information of the input IP packet and a 
filtering condition corresponding to the input IP packet; 

a destination selector for selecting one of the 
internal network and the decoy device as a destination of the 
input IP packet accepted by the packet filter, based on the 
header information of the input IP packet and a distribution 
condition; 

a filtering condition manager for managing the 
filtering condition depending on whether the attack detector 
detects an attack based on the input IP packet forwarded to the 
decoy device; and 

a mirroring device for copying at least a file system 
from a server on the internal network to the decoy device, 
wherein when an attack is detected by the decoy device, the 
mirroring device copies at least the file system from the server 
on the internal network to the decoy device.

139. (previously presented) The attack defending system 
according to claim 138, wherein the header information of an 
input IP packet includes at least one of a source IP address and 
a destination IP address thereof, 

wherein the destination selector selects a destination 
of the input IP packet depending on whether the header 
information of the input IP packet satisfies the distribution
condition.

140. (previously presented) The attack defending system 
according to claim 138, wherein the firewall device further 
comprises:

a distribution condition updating section for updating 
the distribution condition depending on whether the attack 
detector detects an attack based on the input IP packet 
transferred to the decoy device. 

141. (previously presented) The attack defending system 
according to claim 138, wherein the filtering condition manager 
stores the filtering condition with a limited validity period, 
which corresponds to the header information of the input IP 
packet forwarded to the decoy device, wherein, when the limited 
validity period has elapsed, a default filtering condition is 
returned to the packet filter. 

142. (previously presented) The attack defending system 
according to claim 141, wherein the filtering condition manager 
comprises:

a condition generator for generating a filtering 
condition corresponding to a combination of an attack category of 
an attack detected by the attack detector and address information
of the input IP packet; and 

a filtering condition controller for dynamically 
updating the filtering condition according to the filtering 
condition generated by the condition generator. 

143. (cancelled) 
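
An added illustration, not part of the filing and not the applicant's implementation: a minimal model of the guiding-list destination selector of claim 113 together with the time-limited filtering condition of claims 115 and 116. The class and function names, the `POLICY` table, the validity periods and the documentation-range IP addresses are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed policy: attack category -> (action, validity period in seconds).
POLICY = {"scan": ("drop", 60.0), "intrusion": ("drop", 3600.0)}
DEFAULT_ACTION = "accept"  # assumed default filtering condition


@dataclass
class FilteringCondition:
    action: str
    expires_at: float


@dataclass
class Firewall:
    guiding_list: set  # IP addresses unused in the internal network
    conditions: dict = field(default_factory=dict)  # keyed by source IP

    def packet_filter(self, src, now):
        """Return the action for src; an expired condition reverts to default."""
        cond = self.conditions.get(src)
        if cond is not None and now >= cond.expires_at:
            del self.conditions[src]  # limited validity period has elapsed
            cond = None
        return cond.action if cond else DEFAULT_ACTION

    def select_destination(self, dst):
        """A destination on the guiding list is sent to the decoy."""
        if ipaddress.ip_address(dst) in self.guiding_list:
            return "decoy"
        return "internal"

    def report_attack(self, src, category, now):
        """Generate and install a condition from attack category + address."""
        action, ttl = POLICY[category]
        self.conditions[src] = FilteringCondition(action, now + ttl)

    def handle(self, src, dst, now):
        if self.packet_filter(src, now) == "drop":
            return "dropped"
        return self.select_destination(dst)


def run_demo():
    # Constructed sample traffic using RFC 5737 documentation addresses.
    fw = Firewall(guiding_list={ipaddress.ip_address("192.0.2.200"),
                                ipaddress.ip_address("192.0.2.201")})
    prober, other, server = "203.0.113.7", "198.51.100.9", "192.0.2.10"
    out = []
    out.append(fw.handle(prober, server, now=0.0))         # live host
    out.append(fw.handle(prober, "192.0.2.200", now=1.0))  # unused address
    fw.report_attack(prober, "scan", now=1.0)  # constructed decoy verdict
    out.append(fw.handle(prober, server, now=2.0))   # condition in force
    out.append(fw.handle(other, server, now=2.0))    # other sources unaffected
    out.append(fw.handle(prober, server, now=61.0))  # validity period elapsed
    return out


if __name__ == "__main__":
    print(run_demo())
```

Keying the condition on the source address alone is a simplification; the claims speak of header information and address information more generally.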